Ubuntu has issued an advisory on April 8: https://ubuntu.com/security/notices/USN-7426-1
Source RPM: (none) => poppler-25.01.0-1.mga10.src.rpm, poppler-23.02.0-1.4.mga9.src.rpmStatus comment: (none) => Fixed upstream in 25.04.0 and patch available from UbuntuWhiteboard: (none) => MGA9TOOCVE: (none) => CVE-2025-32364, CVE-2025-32365
openSUSE has issued an advisory on April 8: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7MHRTVNCUQHLCEUDCYX24NK4ID3BMFG5/
Status comment: Fixed upstream in 25.04.0 and patch available from Ubuntu => Fixed upstream in 25.04.0 and patch available from Ubuntu and openSUSE
Status comment: Fixed upstream in 25.04.0 and patch available from Ubuntu and openSUSE => Fixed upstream in 25.04.0 and patches available from Ubuntu and openSUSE
I think these are the patches for the 2 CVEs: https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41 https://gitlab.freedesktop.org/poppler/poppler/-/commit/d87bc726c7cc98f8c26b60ece5f20236e9de1bc3 Although assigning globally, ns80 might do this (already CC'd as bug creator).
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix a security vulnerabilities: A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN. (CVE-2025-32364) Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check. (CVE-2025-32365) References: https://ubuntu.com/security/notices/USN-7426-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/7MHRTVNCUQHLCEUDCYX24NK4ID3BMFG5/ ======================== Updated packages in core/updates_testing: ======================== lib(64)poppler-cpp-devel-23.02.0-1.5.mga9 lib(64)poppler-cpp0-23.02.0-1.5.mga9 lib(64)poppler-devel-23.02.0-1.5.mga9 lib(64)poppler-gir0.18-23.02.0-1.5.mga9 lib(64)poppler-glib-devel-23.02.0-1.5.mga9 lib(64)poppler-glib8-23.02.0-1.5.mga9 lib(64)poppler-qt5-devel-23.02.0-1.5.mga9 lib(64)poppler-qt5_1-23.02.0-1.5.mga9 lib(64)poppler-qt6-devel-23.02.0-1.5.mga9 lib(64)poppler-qt6_3-23.02.0-1.5.mga9 lib(64)poppler126-23.02.0-1.5.mga9 poppler-23.02.0-1.5.mga9 from SRPM: poppler-23.02.0-1.5.mga9.src.rpm
Version: Cauldron => 9Status comment: Fixed upstream in 25.04.0 and patches available from Ubuntu and openSUSE => (none)Whiteboard: MGA9TOO => (none)Assignee: pkg-bugs => qa-bugsSource RPM: poppler-25.01.0-1.mga10.src.rpm, poppler-23.02.0-1.4.mga9.src.rpm => poppler-23.02.0-1.4.mga9.src.rpmStatus: NEW => ASSIGNED
MGA9-64 Plasma wayland on Compaq H000SB No installation issues. Tests from bug 32242: $ pdftohtml handleidingVM.pdf testpoppler.html Page-1 Page-2 Page-3 Page-4 Page-5 Page-6 Page-7 Page-8 Page-9 link to page 6 Page-10 Page-11 Page-12 $ firefox testpoppler.html Opens correctly with a page index as a lefthand column of links and the text and graphics to the right. $ pdftotext handleidingVM.pdf VM.txt Opened with mousepad and text is complete with indicators where graphical items occured in the original document. These indicators are not shown in kate. From bug 32600 $ pdfimages handleidingVM.pdf handvm [tester9@mach3 testpoppler]$ ls handvm* handvm-000.ppm handvm-001.ppm handvm-002.ppm handvm-003.ppm handvm-004.ppm handvm-005.ppm handvm-006.ppm handvm-007.ppm $ ls ha*.ppm | wc -l 8 $ pdfseparate -f 3 -l 10 handleidingVM.pdf page_%d $ okular page_* pages show up OK. Should be good enough.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0134.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED